Abstract

In 1974, Ralph Merkle proposed the first unclassified scheme for secure communications over
insecure channels. When legitimate communicating parties are willing to spend an amount of
computational effort proportional to some parameter N, an eavesdropper cannot break into
their communication without spending a time proportional to N^2, which is quadratically more
than the legitimate effort. We showed in an earlier paper that Merkle's schemes are completely
insecure against a quantum adversary, but that their security can be partially restored if the
legitimate parties are also allowed to use quantum computation: the eavesdropper needed to
spend a time proportional to N^{3/2} to break our earlier quantum scheme. Furthermore, all
previous classical schemes could be broken completely by the onslaught of a quantum eavesdropper
and we conjectured that this is unavoidable.

We give two novel key establishment schemes in the spirit of Merkle's. The first one can
be broken by a quantum adversary that makes an effort proportional to N^{5/3} to implement a
quantum random walk in a Johnson graph reminiscent of Andris Ambainis' quantum algorithm
for the element distinctness problem. This attack is optimal up to logarithmic factors. Our
second scheme is purely classical, yet it cannot be broken by a quantum eavesdropper who is
only willing to expend effort proportional to that of the legitimate parties.

Keywords: Merkle Puzzles, Key Establishment Schemes, Quantum Cryptography. 
1 Introduction



While Ralph Merkle was delivering the 2005 International Association for Cryptologic Research
(IACR) Distinguished Lecture at the Crypto annual conference in Santa Barbara, describing his
original unpublished 1974 scheme [16] for public key establishment (much simpler and more elegant
than his subsequently published, yet better known, Merkle Puzzles [17]), one of us (Brassard)
immediately realized that this scheme was totally insecure against an eavesdropper equipped with a
quantum computer. The obvious question was: can Merkle's idea be repaired and made secure again
in our quantum world? The defining characteristics of Merkle's protocol are that (1) the legitimate
parties communicate strictly through an authenticated classical channel on which eavesdropping is
unrestricted and (2) a protocol is deemed to be secure if the cryptanalytic effort required of the
eavesdropper to learn the key established by the legitimate parties grows super-linearly with the
legitimate work.

We partially repaired Merkle's scheme in Ref. [8] with a scheme in which the eavesdropper
needed an amount of work in Ω(N^{3/2}) to obtain the key established by quantum legitimate parties
whose amount of work is in O(N). This was not quite as good as the work in Ω(N^2) required by a
classical eavesdropper against Merkle's original scheme, but significantly better than the work in
O(N) sufficient for a quantum eavesdropper against the same scheme. Two main questions were
left open in Ref. [8]:

1. Can the quadratic security possible in a classical world be restored in our quantum world? 

2. Is any security possible at all if the legitimate parties are purely classical, yet the eavesdropper 
is endowed with a quantum computer? 

We give two novel key establishment protocols to address these issues. In the first protocol, the
legitimate parties use quantum computers and classical authenticated communication to establish a
shared key after O(N) expected queries to two black-box random functions (which can be modelled
with a single binary random oracle). We then give a nontrivial quantum cryptanalytic attack that
uses a quantum random walk in a Johnson graph, much like Andris Ambainis' algorithm to solve
the element distinctness problem [2], which allows a quantum eavesdropper to learn the key after
Θ(N^{5/3}) queries to the functions. Finally, we prove that our attack is optimal up to logarithmic
factors. Therefore, we have not quite restored the quadratic security possible in a classical world,
but we have made significant progress towards it.

Second, we give a purely classical protocol, in which the legitimate parties use classical
communication and classical computation to establish a key after O(N) calls to similar black-box
random functions. We then attack this protocol with a quantum cryptanalytic algorithm that uses 
queries to the functions. As unlikely as it may sound, this attack is optimal (up to 
logarithmic factors) and therefore it is not possible to break this purely classical protocol with a 
quantum attack that uses an amount of resource linear in the legitimate effort. 

After a review (lifted from Ref. [8]) of Merkle's original idea, its meltdown against a quantum
eavesdropper and our earlier partial quantum solution (Sect. 2), we describe our new protocols
(Sects. 3 and 4), quantum attacks against them (Sects. 3.1 and 4.1) and proofs of optimality
for those attacks (Sects. 3.2 and 4.2). In Sect. 5 we mention an improvement on our classical
scheme, which forces a successful eavesdropper to use Ω(N^{7/6}) queries, but we leave the detail to a
subsequent paper. Section 6 concludes with conjectures about the existence of even better schemes.
Some of the technical tools required by our quantum attacks are reviewed in the Appendix and a
new lower-bound composition theorem is introduced.

2 Merkle's Original Scheme and How to Break and Partially Repair It

The first unclassified document ever written that pioneered public key establishment and public
key cryptography was a project proposal written in 1974 by Merkle when he was a student in
Lance Hoffman's CS244 course on Computer Security at the University of California, Berkeley [16].
Hoffman rejected the proposal and Merkle dropped the course but "kept working on the idea" and
eventually published it as one of the most seminal cryptographic papers in the second half of the
twentieth century [17]. Merkle's scheme in his published paper was somewhat different from his
original 1974 idea, but both share the property that they "force any enemy to expend an amount of
work which increases as the square of the work required of the two [legitimate] communicants" [17].
It took 35 years before Boaz Barak and Mohammad Mahmoody-Ghidary proved that this quadratic
discrepancy between the legitimate and eavesdropping efforts is the best possible in a classical
world [3].

In his IACR Distinguished Lecture¹, which he delivered at the Crypto '05 Conference in Santa
Barbara, Merkle described from memory his first solution to the problem of secure communications
over insecure channels. As a wondrous coincidence, he unsuspectingly opened up a box of old folders
a mere three weeks after his Lecture and happily recovered his long-lost CS244 Project Proposal,
together with comments handwritten by Hoffman [16]! To quote his original typewritten words:

Method 1: Guessing. Both sites guess at keywords. These 

guesses are one-way encrypted, and transmitted to the 
other site. If both sites should chance to guess at 
the same keyword, this fact will be discovered when 
the encrypted versions are compared, and this keyword 
will then be used to establish a communications link. 

Discussion: No, I am not joking. 

In more modern terms, let f be a one-way permutation. In order to "one-way encrypt" x, as
Merkle said in 1974, we assume that one can compute f(x) in unit time for any given input x
but that the only way to retrieve x given f(x) is to try preimages and compute f on them until
one is found that maps to f(x). This is known as the black-box (or oracle) model. Hereinafter,
in accordance with this model, efficiency is defined solely in terms of the number of calls to such
black-box functions (there could be more than one). In the quantum case, these calls can be
made in superposition of inputs. We also assume throughout this paper (as did Merkle) that an
authenticated channel is available between the legitimate communicants, although this channel
offers no protection against eavesdropping.

¹ www.iacr.org/publications/dl
The "keywords" guessed at by "both sites" are random points in the domain of f. They are "one-way
encrypted" by applying f to them. If there are N^2 points in the domain of f, it suffices to guess
O(N) keywords at each site before a variation on the birthday paradox makes it overwhelmingly
likely that "both sites should chance to guess at the same keyword", which becomes their shared
key. An eavesdropper who listens to the entire conversation has no other way to obtain this key
than to invert f on the revealed common encrypted keyword. In accordance with the black-box
model, this can only be done by trying on the average half the points in the domain of f before one
is found that is mapped by f to the target value. This will require an expected number of calls to
f in Ω(N^2), which is quadratic in the legitimate effort.

Shortly thereafter, Whitfield Diffie and Martin Hellman discovered a celebrated method for
public-key establishment that makes the cryptanalytic effort apparently exponentially harder than
the legitimate effort [11]. However, no proof is known that the Diffie-Hellman scheme is secure
at all since it relies on the conjectured difficulty of extracting discrete logarithms, an assumption
doomed to fail whenever quantum computers become available. In contrast, Merkle's approach
offers provable quadratic security against any possible classical attack, under the sole assumption
that f cannot be inverted by any other means than exhaustive search.

Next, we explain why Merkle's original proposal becomes completely insecure if the eavesdropper
is capable of quantum computation (Merkle's published "puzzles" [17] are equally insecure).
We then sketch a protocol from Ref. [8] that is not completely broken. This is achieved by
granting similar quantum computation capabilities to one of the legitimate communicating parties.

2.1 Quantum Attack and Partial Remedy 

Let us now assume that function f can be computed quantum mechanically on a superposition
of inputs. In this case, Merkle's original scheme is completely compromised by way of Grover's
algorithm [12]. Indeed, this algorithm needs only O(√(N^2)) = O(N) calls on f in order to invert it
on any given point of its image, making the cryptanalytic task as easy (up to constant factors) as
the legitimate key setup process.²

To remedy the situation, we allow the communicating parties to use quantum computers as
well (actually, one of the parties will remain classical), and we increase the domain of f from N^2
to N^3 points. Instead of having both sites transmit one-way encrypted guesses to the other site,
one site called Alice chooses N distinct random values x_1, x_2, ..., x_N and transmits them, one-way
encrypted by the application of f, to the other site called Bob. Let Y = {f(x_i) | 1 ≤ i ≤ N} denote
the set of encrypted keywords received by Bob, which becomes known to the eavesdropper. Now,
Bob defines Boolean function g on the same domain as f by

    otherwise .

² If an unstructured search problem has t solutions among M candidates, Grover's algorithm [12], or more precisely
its so-called BBHT generalization [6], can find one of the solutions after O(√(M/t)) expected calls to a function that
recognizes solutions among candidates. However, Theorem 4 of Ref. [7] implies that, whenever the number t > 0 is
known, a solution can be found with certainty after O(√(M/t)) calls to that function in the worst case. From now
on, when we mention Grover's algorithm or BBHT, we really mean this improvement according to Ref. [7].
Out of N^3 points in the domain of f, there are exactly t = N solutions to the problem of
finding an x so that g(x) = 1. It suffices for Bob to apply the BBHT generalization [6] of Grover's
algorithm [12], which finds such an x after O(√(N^3/t)) = O(√(N^2)) = O(N) calls on g (and therefore
on f). Bob sends back f(x) to Alice, who knows the value of x because she was careful to keep
her randomly chosen points. Therefore, O(N) calls on f by Alice and Bob suffice for them
to agree on key x.³

The eavesdropper, on the other hand, is faced with the need to invert f on a specific point of
its image. Even with a quantum computer, this requires a number of calls on f proportional to
the square root of the number of points in its domain [5], which is Ω(√(N^3)) = Ω(N^{3/2}). This is
more effort than what is required of the legitimate parties, yet less than quadratically so, as would
have been possible in a classical world. Even though we have avoided the meltdown of Merkle's
original approach, the introduction of quantum computers available to all sides seems to be to
the advantage of the codebreakers. Can we remedy this situation? Furthermore, is any security
possible at all against a quantum computer if both legitimate parties are restricted to being purely
classical? We address these two questions in the rest of this paper.

3 Improved Quantum Key Establishment Scheme 

For any positive integer N, let [N] denote the set of integers from 1 to N. We describe our novel key
establishment protocol assuming the existence of two black-box random functions f : [N^3] → [N^k]
and g : [N^3] × [N^3] → [N^{k'}] that can be accessed in quantum superposition of inputs. Constants k
and k' are chosen large enough so that there is no collision in the images of f and g, except with
negligible probability. (For simplicity, we shall systematically disregard the possibility that such
collisions might exist.) Notice that a single binary random oracle (which "implements" a random
function from the integers to {0, 1}) could be used to define both functions f and g provided we
disregard logarithmic factors in our analyses since O(log N) calls to the random oracle would suffice
to compute f or g on any single input. For this reason, it is understood hereinafter that all our
results are implicitly stated "up to logarithmic factors". As mentioned in the previous section, the
only resource that we consider in our analyses of efficiency and lower bounds is the number of calls
made to these functions or, equivalently, to the underlying binary random oracle.

Protocol 1. 

1. Alice picks at random N distinct values {x_i}_{i=1}^N with x_i ∈ [N^3] and transmits the encrypted
values y_i = f(x_i) to Bob. Let X and Y denote {x_i | 1 ≤ i ≤ N} and {y_i | 1 ≤ i ≤ N},
respectively. Note that Alice knows both X and Y, whereas Bob and the eavesdropper have
immediate knowledge (i.e. without querying the black-box for function f) of Y only.

2. Bob finds the pre-images x and x' of two distinct random elements in Y. To find each one
of them, he uses BBHT [6] to search for an x such that φ(x) = 1, where φ : [N^3] → {0, 1} is
defined as follows:

$$
\varphi(x) = \begin{cases} 1 & \text{if } f(x) \in Y \\ 0 & \text{otherwise.} \end{cases}
$$

There are exactly N values of x such that φ(x) = 1, out of N^3 points in the domain of φ.
Therefore, Bob can find one such random x with O(√(N^3/N)) = O(N) calls to function f.
He needs to repeat this process twice in order to get both x and x'. (A small variation in
function φ can be used the second time to make sure that x' ≠ x.)

³ As we made clear already, we are only concerned in this paper with the number of calls made to black-box functions.
Nevertheless, if we cared also about computational efficiency, Bob would sort the elements of Y in increasing order
after receiving them from Alice so that he can quickly determine, given any y = f(x), whether or not y ∈ Y, which is
needed to compute function g. Alternatively, universal hashing could be used [10].

3. Bob sends back w = g(x,x') to Alice. 

4. Because Alice had kept her randomly chosen set X, there are only N^2 candidate pairs
(x_i, x_j) ∈ X × X such that g(x_i, x_j) could equal w. Using Grover's algorithm, she can find
the one pair (x, x') that Bob has in mind with O(√(N^2)) = O(N) calls to function g.

5. The key shared by Alice and Bob is the pair (x,x'). 

All counted, Alice makes N calls to f in step 1 and O(N) calls to g in step 4, whereas Bob
makes O(N) calls to f in step 2 and a single call to g in step 3. If the protocol is constructed over
a binary random oracle, it will have to be called O(N log N) times since it takes O(log N) binary
queries to compute either function on any given input.



3.1 Quantum Attack 

All the obvious (and not so obvious) cryptanalytic attacks against this scheme, such as direct use
of Grover's algorithm (or BBHT), or even more sophisticated attacks based on amplitude amplification [7],
require the eavesdropper to call Ω(N^2) times functions f and/or g. Unfortunately, a more
powerful attack based on the more recent paradigm of quantum walks in Markov chains [18] allows
the eavesdropper to recover Alice and Bob's key (x, x') with an expected O(N^{5/3}) calls to f and
O(N) calls to g. This attack was inspired by Ambainis' quantum algorithm for element distinctness [2],
which can find the unique pair (i, j) such that c(i) = c(j) with O(N^{2/3}) expected queries
to single-collision function c whose domain contains N elements (whereas all previous approaches
based on Grover's algorithm and amplitude amplification [6, 7] had required Ω(N^{3/4}) queries).

Theorem 1. There exists an eavesdropping strategy that outputs the pair (x, x') in Protocol 1 with
O(N^{5/3}) expected quantum queries to functions f and g.

Proof. In a nutshell, we apply Ambainis' algorithm for element distinctness with two modifications:
(1) instead of looking for i and j such that c(i) = c(j), we are looking for x and x' such that
g(x, x') = w and (2) instead of being able to get randomly chosen values in the image of c with a
single call to oracle c per value, we need to get random elements of X by applying BBHT on the
list Y, which requires O(√(N^3/N)) = O(N) calls to oracle f per element. The second modification
explains why the number of calls to f, compared to O(N^{2/3}) calls to c for element distinctness,
is multiplied by O(N). Hence, we need O(N^{5/3}) calls to function f. To determine the number of
calls required to function g, however, we have to delve deeper into the eavesdropping algorithm.

The eavesdropping algorithm uses a quantum walk on a Johnson graph — see the Appendix for 
a review of this topic. Each node of the graph contains some number r (to be determined later) 
of distinct elements of X. We are looking for a node that contains the two elements x and x' such
that g(x, x') = w, where w is the value announced by Bob in step 3 of the protocol. We apply
Theorem 5 (Appendix) to analyse the cost of a quantum walk on this graph [2, 18]. The set up
cost S corresponds to finding r random elements of X. Since BBHT can be used to find one such
element with O(N) calls to f, and even to find an element of X guaranteed to be different from
those already in the initial node (provided r ≪ N, which it will be), S = O(rN) calls to f. The
update cost U corresponds to finding one random element of X not already in the node, which is
U = O(N) calls to f, again by BBHT. The checking cost C requires us to decide if there is a pair
(x, x') of elements in the node such that g(x, x') = w, which can be done with O(√(r^2)) = O(r)
calls to g using Grover's algorithm since there are r^2 pairs of elements in the node. Putting it all
together, the expected cryptanalytic cost is

$$
\begin{aligned}
& S + O\!\left(\frac{1}{\sqrt{\varepsilon}}\left(\frac{1}{\sqrt{\delta}}\,U + C\right)\right) \\
&= O\!\left((rN \text{ calls to } f) + \frac{N}{r}\left(\sqrt{r}\,(N \text{ calls to } f) + (r \text{ calls to } g)\right)\right) \\
&= O\!\left(rN + N^2/\sqrt{r}\right) \text{ calls to } f \text{ and } O(N) \text{ calls to } g .
\end{aligned}
$$

To minimize the number of calls to f, we choose r so that rN = N^2/√r, which is r = N^{2/3}. It
follows that a quantum eavesdropper is able to find the key (x, x') with an expected O(rN) = O(N^{5/3})
calls to f and O(N) calls to g. □

Note that the use of Grover's algorithm in the checking step was not necessary to prove
Theorem 1. Should this step be carried out classically, this would result in C = O(r^2) calls to g.
The net result would be that the key is found after an expected O(N^{5/3}) calls to f and also O(N^{5/3})
calls to g.

3.2 Lower Bound 

The proof that the quantum attack described above against our protocol is optimal proceeds in 
three steps. 

1. We define a search problem reminiscent of element distinctness; 

2. We prove a lower bound on the difficulty to solve this search problem; and 

3. We reduce this search problem to the eavesdropping problem against our protocol. More
precisely, we show that any attack on our key establishment scheme that would have a non-vanishing
probability of success after o(N^{5/3}) calls to functions f and g could be turned into
an algorithm capable of solving the search problem more efficiently than possible.

First, consider a function c : [N] → [N] so that there exists a single pair 1 ≤ i < j ≤ N
for which c(i) = c(j). Ambainis' quantum algorithm for element distinctness [2] can find this pair
with O(N^{2/3}) queries to function c and Scott Aaronson and Yaoyun Shi proved that this is optimal
even for the decision version of this problem [1].

Now, consider a function h : [N] × [N^2] → [N]', where [N]' denotes {0} ∪ [N]. The domain of
this function is composed of N "buckets" of size N^2, where h(i, ·) corresponds to the i-th bucket,
1 ≤ i ≤ N. In bucket i, all values of the function are 0 except for one single random v_i ∈ [N^2] for
which h(i, v_i) = c(i):

$$
h(i,j) = \begin{cases} c(i) & \text{if } j = v_i \\ 0 & \text{otherwise.} \end{cases}
$$

It follows from the definitions of c and h that there is a single pair of distinct a and b in the domain
of h such that h(a) = h(b) ≠ 0. How difficult is it to find this pair given a black box for function h
but no direct access to c?

Lemma 1. Given h structured as above, finding the pair of distinct elements a and b in the
domain of h such that h(a) = h(b) ≠ 0 requires Ω(N^{5/3}) quantum queries to h, except with vanishing
probability.

Proof. This problem can be modelled as the composition of element distinctness across buckets
with finding the single non-zero entry in each bucket. It is therefore a special case of technical
Lemma 5 stated in the Appendix, with parameters k = N (the number of buckets) and η = N^2
(the size of the buckets). It follows that finding the desired pair (a, b) requires

$$
\Omega\big(k^{2/3}\,\eta^{1/2}\big) = \Omega\big(N^{2/3}\sqrt{N^2}\big) = \Omega\big(N^{5/3}\big)
$$

quantum queries to h, except with vanishing probability. □

Consider now a slightly different search problem in which there are no buckets anymore, but
there is an added coordinate in the image of the function: h' : [N^3] → [N]' × [N]' is defined
so that h'(a) = (0, 0) on all but N randomly chosen points in its domain, namely w_1, w_2, ...,
w_N. On these N points, h'(w_i) = (i, c(i)), where c is the function considered at the beginning
of this section. We are required to find the unique pair of distinct a and b in [N^3] such that
π₂(h'(a)) = π₂(h'(b)) ≠ 0, where "π₂" denotes the projection on the second coordinate (similarly
for "π₁"). The lower bound on the earlier search problem concerning h implies directly the same
lower bound on the new search problem concerning h' since any algorithm capable of solving the new
problem can be used at the same cost to solve the earlier problem through randomization. In other
words, the more structured version of the problem cannot be harder than the less structured one.
The next Lemma formalizes the argument above.

Lemma 2. Given h' structured as above, finding the pair of distinct elements a and b in the
domain of h' such that π₂(h'(a)) = π₂(h'(b)) ≠ 0 requires Ω(N^{5/3}) quantum queries to h', except
with vanishing probability.



Proof. Define intermediary function h̃ : [N] × [N^2] → [N]' × [N]' by

$$
\tilde h(i,j) = \begin{cases} (i, h(i,j)) = (i, c(i)) & \text{if } h(i,j) \neq 0 \\ (0, h(i,j)) = (0, 0) & \text{otherwise.} \end{cases}
$$

It is elementary to reduce the search problem concerning h to the one concerning h̃ as well as the
search problem concerning h̃ to the one concerning h'. Therefore, the lower bound concerning h
given by Lemma 1 applies mutatis mutandis to h'. □
Finally, we show how to reduce the search problem concerning h' to the cryptanalytic difficulty
for the eavesdropper to determine the key that Alice and Bob have established by using our protocol.
This is the last step in proving the security of our scheme.

Theorem 2. Any eavesdropping strategy that recovers the key (x, x') in Protocol 1 requires a total
of Ω(N^{5/3}) quantum queries to functions f and g, except with vanishing probability.

Proof. Consider any eavesdropping strategy A that listens to the communication between Alice
and Bob and tries to determine the key (x, x') by querying black-box functions f and g. In fact,
there are no Alice and Bob at all! Instead, there is a function h' : [N^3] → [N]' × [N]' as described
above, for which we want to solve the search problem by using unsuspecting A as a resource.

We start by supplying A with a completely fake "conversation" between "Alice" and "Bob":
for sufficiently large k and k', we choose randomly N points y_1, y_2, ..., y_N in [N^k] and one point
w ∈ [N^{k'}] and we pretend that Alice has sent the y's to Bob and that Bob has responded with w.
We also choose random functions f : [N^3] → [N^k] and g : [N^3] × [N^3] → [N^{k'}] as well as a random
Boolean s ∈ {true, false}. Note that the selection of f and g may take a lot of time, but this does
not count towards the number of queries that will be made of function h', and our lower bound on
the search problem concerns only this number of queries. We could be tempted to choose randomly
the values of f and g on the fly, whenever they are needed, but this is not an option for a quantum
process because the values returned must be consistent whenever the same input is queried in
different paths of the superposition. The Boolean s indicates, when true (resp. false), that the fake
"execution" is such that "Bob" has first picked x and then x' such that x < x' (resp. x > x'). Both
cases happen with probability 1/2 in any real execution and for any public announcements Y and
w. The value s will be used in the reduction to distinguish between g(x, x') and g(x', x) so that
only g(x, x') will be set to w.

Now, we wait for A's queries to f and g.

• When A asks for f(i) for some i ∈ [N^3], there are two possibilities.

— If h'(i) = (0, 0), return f(i) to A as value for f(i).

— Otherwise, return y_{π₁(h'(i))}.

• When A asks for g(i, j) for some i, j ∈ [N^3], there are again two possibilities.

— If π₂(h'(i)) = π₂(h'(j)) ≠ 0 and either s is true and i < j or s is false and i > j, return
w as value for g(i, j).

— Otherwise, return g(i, j).

Suppose A happily returns the pair (i, j) for which it was told that g(i, j) = w, which is what
a successful eavesdropper is supposed to do. This pair is in fact the answer to the search problem
concerning h' since g(i, j) = w implies that π₂(h'(i)) = π₂(h'(j)) ≠ 0, except with the negligible
probability that g(i', j') = w for some query that A asks about g.

Queries asked by A concerning f and g are answered in the same way as they would be if f and
g were two random functions consistent with the Y and w announced by Alice and Bob during the
execution of a real protocol. To see this, remember that Y (subset of [N^k]) and w (element of [N^{k'}])
are uniformly picked at random in both the simulated and the real worlds. Moreover, the simulated
function f is such that f(i) is random when h'(i) = (0, 0). The remaining N output values are
in Y, as expected by A. On the other hand, the simulated function g is random everywhere except
for one single input pair (i, j), i ≠ j, for which g(i, j) = w, as it is also expected by A. Therefore,
A will behave in the environment provided by the simulation exactly as in the real world. Since
we disregard the negligible possibility that g might not be one-to-one, the reduction solves the
search problem concerning h' whenever A succeeds in finding the key. Notice finally that each
(new) question asked by A to either f or g translates to one or two questions actually asked to h'.

It follows that any successful cryptanalytic strategy that makes o(N^{5/3}) total queries to f and
g would solve the search problem with only o(N^{5/3}) queries to function h', which is impossible,
except with vanishing probability. This demonstrates the Ω(N^{5/3}) lower bound on the cryptanalytic
difficulty of breaking our key establishment protocol, again except with vanishing probability, which
matches the upper bound provided by the explicit attack given in Sect. 3.1. □
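The simulation at the heart of this reduction, as an added worked example (this is not code from the paper): a Python class that holds nothing but a black box for h' and answers an eavesdropper's f and g queries by the two rules above, counting how many h' queries each answer costs. The keyed SHA-256 functions standing in for the random f and g, the 64-bit range standing in for [N^k], the tiny parameter N = 4 and the exhaustive-search "strategy" standing in for A are all constructed for illustration. The property to observe is the one the proof relies on: whatever pair the strategy returns because it was told g(i, j) = w is a solution of the h' search problem, and each f query costs one h' query while each g query costs two.

```python
import hashlib
import random


def keyed_random_function(label, range_size):
    """Stand-in for a random function fixed in advance: a keyed hash (assumption for the toy)."""
    def func(*args):
        data = (label + ":" + ",".join(map(str, args))).encode()
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % range_size
    return func


class ReductionSimulator:
    """Answers an eavesdropper's f and g queries using only black-box access to h'."""

    def __init__(self, N, seed=0):
        rng = random.Random(seed)
        self.N, self.domain = N, N ** 3
        big_range = 2 ** 64                              # plays the role of [N^k] (assumption)

        # c : [N] -> [N] with exactly one colliding pair (i*, j*): a permutation with one value copied.
        values = list(range(1, N + 1))
        rng.shuffle(values)
        self.c = {i: values[i - 1] for i in range(1, N + 1)}
        self.i_star, self.j_star = sorted(rng.sample(range(1, N + 1), 2))
        self.c[self.j_star] = self.c[self.i_star]

        # h' : [N^3] -> [N]' x [N]' is (0,0) everywhere except h'(w_i) = (i, c(i)) on N random points.
        self.marked = rng.sample(range(1, self.domain + 1), N)        # w_1 .. w_N
        self._h_prime = {self.marked[i - 1]: (i, self.c[i]) for i in range(1, N + 1)}
        self.h_queries = 0

        # Fake transcript: y_1..y_N and w uniformly random, plus the ordering bit s.
        self.ys = {i: rng.randrange(big_range) for i in range(1, N + 1)}
        self.w = rng.randrange(big_range)
        self.s = rng.choice([True, False])
        self._f = keyed_random_function("f-%d" % seed, big_range)
        self._g = keyed_random_function("g-%d" % seed, big_range)
        self.f_calls = self.g_calls = 0

    def h_prime(self, a):
        """The only oracle the reduction really has; every call is counted."""
        self.h_queries += 1
        return self._h_prime.get(a, (0, 0))

    def f(self, i):
        """Rule for f: random value off the marked points, y_{pi1(h'(i))} on them."""
        self.f_calls += 1
        pi1, _ = self.h_prime(i)
        return self._f(i) if pi1 == 0 else self.ys[pi1]

    def g(self, i, j):
        """Rule for g: w exactly when pi2(h'(i)) = pi2(h'(j)) != 0 and (i, j) is ordered as s says."""
        self.g_calls += 1
        _, pi2_i = self.h_prime(i)
        _, pi2_j = self.h_prime(j)
        in_order = (i < j) if self.s else (i > j)
        if pi2_i == pi2_j != 0 and in_order:
            return self.w
        return self._g(i, j)

    def transcript(self):
        """What the eavesdropper sees: the set Y and the value w."""
        return set(self.ys.values()), self.w

    def expected_solution(self):
        """The unique (a, b) with pi2(h'(a)) = pi2(h'(b)) != 0, ordered according to s."""
        lo, hi = sorted((self.marked[self.i_star - 1], self.marked[self.j_star - 1]))
        return (lo, hi) if self.s else (hi, lo)

    def is_search_solution(self, a, b):
        ha, hb = self._h_prime.get(a, (0, 0)), self._h_prime.get(b, (0, 0))
        return a != b and ha[1] == hb[1] != 0


def toy_eavesdropper(sim):
    """Constructed stand-in for the strategy A: tries ordered pairs until g(i, j) == w."""
    _, w = sim.transcript()
    for i in range(1, sim.domain + 1):
        for j in range(1, sim.domain + 1):
            if i != j and sim.g(i, j) == w:
                return (i, j)
    return None


if __name__ == "__main__":
    sim = ReductionSimulator(N=4, seed=0)
    pair = toy_eavesdropper(sim)
    print(pair, sim.is_search_solution(*pair), sim.h_queries, sim.f_calls, sim.g_calls)
```

The exhaustive strategy is only there to drive the simulator; it makes about N^6 g queries, which is why N is kept at 4. The counters are the point: the reduction never looks at the key, it just relays whatever the strategy finds, and its h' cost is bounded by the strategy's f and g cost, which is exactly what turns a cheap eavesdropper into a cheap solver for the h' search problem.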

4 Fully Classical Key Establishment Scheme 

In this section, we revert to the original setting imagined by Merkle in the sense that Alice and
Bob are now purely classical. However, we allow full quantum power to the eavesdropper. Recall
that Merkle's original schemes [16, 17] are completely broken in this context [8]. Is it possible
to restore some security in this highly adversarial (and unfair!) scenario? The following purely
classical key establishment protocol, which is inspired by our quantum protocol described in the
previous section, provides a positive answer to this conundrum.

This time, black-box random functions f and g are defined on a smaller domain to compensate
for the fact that classical Alice and Bob can no longer use Grover's algorithm. Specifically,
f : [N^2] → [N^k] and g : [N^2] × [N^2] → [N^{k'}], again with sufficiently large k and k' to avoid collisions
in these functions, except with negligible probability (k and k' need not be the same here as in
the previous section). As before, these two functions could be replaced by a single binary random
oracle. For simplicity, we choose N to be a perfect square.

Protocol 2. 

1. Alice picks at random N distinct values {x_i}_{i=1}^N with x_i ∈ [N^2] and transmits the encrypted
values y_i = f(x_i) to Bob. Let X and Y denote {x_i | 1 ≤ i ≤ N} and {y_i | 1 ≤ i ≤ N},
respectively.

2. Bob finds the pre-images x and x' of two distinct random elements in Y. To find each one of
them, he chooses random values in [N^2] and applies f to them until one is found whose image
is in Y. By virtue of the birthday paradox, he is expected to succeed after O(√(N^2)) = O(N)
calls to function f. Until now this is identical to Merkle's original scheme, except for the fact
that Bob needs to find two elements of X rather than one.

3. Bob sends back w = g(x, x') to Alice. In addition, he chooses √N − 2 random elements from
Y \ {f(x), f(x')} and he forms a set Y' of cardinality √N by adding f(x) and f(x') to those
elements. He sends the elements of Y' to Alice in increasing order of values.

4. Because Alice had kept her randomly chosen set X, she knows the preimages of each element
of Y'. Let X' denote {x ∈ X | f(x) ∈ Y'}. By exhaustive search over all pairs of elements
of X', Alice finds the one pair (x, x') such that g(x, x') = w.

5. The key shared by Alice and Bob is the pair (x, x'). 

All counted, Alice makes N calls to / in step [Hand at most N calls to g in step 0] because there 
are y/~N = N pairs of elements of X' and one of them is the correct one. As for Bob, he makes 
an expected O(N) calls to / in step [2] and a singe call to g in stepEJ The total expected number 
of calls to / and g is therefore in O(N) for both legitimate parties. 
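Protocol 2 as a runnable simulation, added here for illustration and not part of the original paper: $f$ and $g$ are modelled as lazily sampled random functions with query counters (an assumption standing in for the black-box random oracles, with $k = k' = 8$), and the run reports Alice's $N$ calls to $f$, Bob's $O(N)$ calls to $f$ and Alice's at most $N$ calls to $g$.

```python
import itertools
import random
from math import isqrt
from typing import Dict, Tuple


class CountingRandomFunction:
    """Lazily sampled random function into [codomain] with a query counter.
    This stands in for the black-box random oracles f and g (an assumption of the simulation)."""

    def __init__(self, codomain: int, rng: random.Random) -> None:
        self.codomain = codomain
        self.rng = rng
        self.table: Dict[Tuple[int, ...], int] = {}
        self.queries = 0

    def __call__(self, *args: int) -> int:
        self.queries += 1
        if args not in self.table:
            self.table[args] = self.rng.randrange(self.codomain)
        return self.table[args]


def run_protocol2(N: int, seed: int = 0) -> Dict[str, object]:
    """Simulate Protocol 2 for a perfect-square N; return both parties' keys and query counts."""
    if N < 4 or isqrt(N) ** 2 != N:
        raise ValueError("N must be a perfect square >= 4")
    sqrt_n = isqrt(N)
    rng = random.Random(seed)
    # Codomains N^k and N^k' with k = k' = 8, large enough that f and g are one-to-one
    # on everything queried here except with negligible probability.
    f = CountingRandomFunction(N ** 8, rng)
    g = CountingRandomFunction(N ** 8, rng)

    # Step 1: Alice picks N distinct x_i in [N^2] and transmits y_i = f(x_i).
    X = rng.sample(range(N * N), N)
    Y = [f(x) for x in X]
    alice_f = f.queries
    Y_set = set(Y)

    # Step 2: Bob samples [N^2] and applies f until two distinct elements of Y are hit.
    preimage: Dict[int, int] = {}
    while len(preimage) < 2:
        cand = rng.randrange(N * N)
        y = f(cand)
        if y in Y_set:
            preimage[y] = cand
    bob_f = f.queries - alice_f
    (y1, x), (y2, x_prime) = list(preimage.items())

    # Step 3: Bob sends w = g(x, x') plus a sorted subset Y' of size sqrt(N) containing f(x), f(x').
    w = g(x, x_prime)
    others = rng.sample([y for y in Y if y not in (y1, y2)], sqrt_n - 2)
    Y_prime = sorted(others + [y1, y2])

    # Step 4: Alice still holds X, so X' = {x in X : f(x) in Y'} costs her no new f queries;
    # she then tries the ordered pairs of X' until g(a, b) == w (at most N calls to g).
    Y_prime_set = set(Y_prime)
    X_prime = [xx for xx, yy in zip(X, Y) if yy in Y_prime_set]
    g_before = g.queries
    key_alice = None
    for a, b in itertools.permutations(X_prime, 2):
        if g(a, b) == w:
            key_alice = (a, b)
            break
    alice_g = g.queries - g_before

    # Step 5: the shared key is the pair (x, x').
    return {
        "key_bob": (x, x_prime),
        "key_alice": key_alice,
        "alice_f_queries": alice_f,      # exactly N
        "bob_f_queries": bob_f,          # expected O(N)
        "alice_g_queries": alice_g,      # at most sqrt(N)(sqrt(N)-1) < N
        "y_prime_size": len(Y_prime),    # sqrt(N)
    }
```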

4.1 Quantum Attack 

Theorem 3. There exists an eavesdropping strategy that outputs the pair $(x, x')$ in Protocol 2 with
$O(N^{13/12})$ expected quantum queries to functions $f$ and $g$.

Proof. A quantum eavesdropper can set up a walk in a Johnson graph very similar to the one
explained in Sect. 3.1, except that now the nodes in the graph contain some number $r$ (to be
determined later) of distinct elements of $X'$ (rather than of $X$). The eavesdropper can find random
elements of $X'$ from his knowledge of $Y'$ with an expected

$$O\left(\sqrt{N^2 / \sqrt{N}}\right) = O(N^{3/4})$$

calls to $f$ per element of $X'$. Therefore, $S = O(rN^{3/4})$ calls to $f$, $U = O(N^{3/4})$ calls to $f$ and
$C = O(r)$ calls to $g$. Furthermore, $\delta$ is still $O(1/r)$ but $\varepsilon = \Omega(r^2/N)$.

Putting it all together, the expected quantum cryptanalytic cost is

$$S + O\left(\frac{1}{\sqrt{\varepsilon}}\left(\frac{1}{\sqrt{\delta}}\,U + C\right)\right)$$
$$= O\left((rN^{3/4} \text{ calls to } f) + \frac{\sqrt{N}}{r}\Big(\sqrt{r}\,(N^{3/4} \text{ calls to } f) + (r \text{ calls to } g)\Big)\right)$$
$$= O\left(rN^{3/4} + N^{5/4}/\sqrt{r}\right) \text{ calls to } f \text{ and } O(\sqrt{N}) \text{ calls to } g.$$

To minimize the number of calls to $f$, we choose $r$ so that $rN^{3/4} = N^{5/4}/\sqrt{r}$, which is
$r = N^{1/3}$. It follows that a quantum eavesdropper is able to find the key $(x, x')$ with an expected
$O(rN^{3/4}) = O(N^{13/12})$ calls to $f$ and $O(\sqrt{N})$ calls to $g$. □

4.2 Lower Bound 

The proof that it is not possible to find the key $(x, x')$ with fewer than $\Omega(N^{13/12})$ calls to $f$ and $g$,
except with vanishing probability, follows the same lines as the lower bound proof in Sect. 3.2. It is
therefore possible for purely classical Alice and Bob to agree on a shared key after calling $f$ and
$g$ an expected number of times in the order of $N$, whereas it is not possible, even for a quantum
eavesdropper, to be privy to their secret with an effort in the same order, except with vanishing
probability.

We refer the reader to Sect. 3 for the meaning of notation $[N]$ and to Sect. 3.2 for the definitions
of projectors $\pi_1, \pi_2$, and the meaning of notation $[N]'$.

Consider a function $c : [\sqrt{N}] \to [\sqrt{N}]$ so that there is a single pair $1 \le i < j \le \sqrt{N}$
for which $c(i) = c(j)$. Aaronson and Shi's lower bound [1] tells us that finding this pair requires
$\Omega((\sqrt{N})^{2/3}) = \Omega(N^{1/3})$ calls to function $c$. Now, consider a function $h : [\sqrt{N}] \times [N^{3/2}] \to [\sqrt{N}]'$
where $h(i, \cdot)$ denotes the $i$th bucket, $1 \le i \le \sqrt{N}$. In bucket $i$, all values of the function are $0$
except for one: there is a single random $v_i \in [N^{3/2}]$ such that $h(i, v_i) = c(i)$. It follows from the
definitions of $c$ and $h$ that there is a single pair of distinct $a$ and $b$ in the domain of $h$ such that
$h(a) = h(b) \ne 0$.

Lemma 3. Given $h$ structured as above, finding the pair of distinct elements $a$ and $b$ in the domain
of $h$ such that $h(a) = h(b) \ne 0$ requires $\Omega(N^{13/12})$ quantum queries to $h$, except with vanishing
probability.

Proof. The proof is identical to the one for Lemma 1, mutatis mutandis. It is again a special case
of Lemma 5, but with parameters $\kappa = \sqrt{N}$ (the number of buckets) and $\eta = N^{3/2}$ (the size of the
buckets). It follows that finding the desired pair $(a, b)$ requires

$$\Omega\left(\kappa^{2/3}\eta^{1/2}\right) = \Omega\left(\sqrt{N}^{\,2/3}\sqrt{N^{3/2}}\right) = \Omega(N^{13/12})$$

quantum queries to $h$, except with vanishing probability. □

Let $h' : [N^2] \to [\sqrt{N}]' \times [\sqrt{N}]'$ denote the unstructured version of the same search problem
for $h$, defined the same way as in Sect. 3.2 mutatis mutandis. There is a single pair of distinct
elements $a$ and $b$ such that $\pi_2(h'(a)) = \pi_2(h'(b)) \ne 0$. The problem of finding this pair is at least
as difficult as finding the collision in $h$.

Lemma 4. Given $h'$ structured as above, finding the pair of distinct elements $a$ and $b$ in the
domain of $h'$ such that $\pi_2(h'(a)) = \pi_2(h'(b)) \ne 0$ requires $\Omega(N^{13/12})$ quantum queries to $h'$, except
with vanishing probability.

It remains to show that the search problem concerning $h'$ reduces to the cryptanalytic difficulty
for the eavesdropper to determine the key established by Alice and Bob.

Theorem 4. Any eavesdropping strategy that recovers the key $(x, x')$ in Protocol 2 requires a total
of $\Omega(N^{13/12})$ quantum queries to functions $f$ and $g$, except with vanishing probability.

Proof. Consider any eavesdropping strategy $A$ that listens to the communication between Alice
and Bob and tries to determine the key $(x, x')$ by querying the black-box functions $f$ and $g$.
As before, the reduction does not have access to Alice and Bob but instead to a function
$h' : [N^2] \to [\sqrt{N}]' \times [\sqrt{N}]'$ as described above and given as an oracle, for which we want to solve
the search problem by using $A$ as a resource.

We choose random functions $f : [N^2] \to [N^k]$ and $g : [N^2] \times [N^2] \to [N^{k'}]$, as well as a random
Boolean $s \in \{\text{true}, \text{false}\}$, which has the same purpose as in the proof of Theorem 2. Let $\mathrm{Im}(f)$
denote the image of function $f$. We then supply $A$ with a fake "conversation" between "Alice" and
"Bob": we choose randomly $\sqrt{N}$ points $y'_1, y'_2, \ldots, y'_{\sqrt{N}}$ in $[N^k]$, $N - \sqrt{N}$ points $y_1, y_2, \ldots, y_{N-\sqrt{N}}$ in
$\mathrm{Im}(f)$ and one point $w \in [N^{k'}]$. We pretend that Alice has sent the list $Y = \{y_1, y_2, \ldots, y_{N-\sqrt{N}}\} \cup
\{y'_1, y'_2, \ldots, y'_{\sqrt{N}}\}$ to Bob (in random order) and that Bob has responded with $Y' = \{y'_1, y'_2, \ldots, y'_{\sqrt{N}}\}$
(in increasing order) and $w$.

Now, we wait for $A$'s queries to $f$ and $g$.

• When $A$ asks for $f(i)$ for some $i \in [N^2]$, there are two possibilities:

— If $h'(i) = (0, 0)$, return $f(i)$ to $A$ as value for $f(i)$.

— Otherwise, return $y'_{\pi_1(h'(i))}$.

• When $A$ asks for $g(i, j)$ for some $i, j \in [N^2]$, there are two possibilities:

— If $\pi_2(h'(i)) = \pi_2(h'(j)) \ne 0$ and either $s$ is true and $i < j$ or $s$ is false and $i > j$, return
$w$ as value for $g(i, j)$.

— Otherwise, return $g(i, j)$.

Suppose $A$ happily returns the pair $(i, j)$ for which it was told that $g(i, j) = w$, which is what a
successful eavesdropper is supposed to do. This pair is in fact the answer to the search problem
concerning function $h'$. Indeed, $g(i, j) = w$ for only the pair for which $\pi_2(h'(i)) = \pi_2(h'(j)) \ne 0$,
except with the negligible probability that $g(i', j') = w$ for some query $(i', j')$ that $A$ asks about $g$.
However, we need an additional condition for the reduction to create an environment identical to
the real one: if $y \in Y$ then $h'(f^{-1}(y)) = (0, 0)$. This is required for all elements in $Y \setminus Y'$ to be
accessible when $A$ is querying $f$ in the reduction. Fortunately, it is easy to see that this condition
is satisfied except with vanishing probability when $k$ is large enough.

Provided this condition is satisfied, queries asked by $A$ concerning $f$ and $g$ are answered in the
same way as they would be if both $f$ and $g$ were random functions consistent with the $Y$, $Y'$ and
$w$ announced by Alice and Bob during the execution of the protocol. To see this, remember that
$Y$ and $Y'$ (subsets of $[N^k]$) and $w$ (element of $[N^{k'}]$) are uniformly picked at random in both the
simulated and the real worlds. Moreover, the simulated function $f$ is such that $f(i)$ is random
when $h'(i) = (0, 0)$. Among these $N^2 - \sqrt{N}$ input values, there are exactly $N - \sqrt{N}$ output values
in $Y \setminus Y'$, as expected by $A$. The remaining $\sqrt{N}$ input values $i$ also satisfy $f(i) \in Y'$, as it should
be. On the other hand, the simulated function $g$ is random everywhere except for one single input
pair $(i, j)$ with $i \ne j$, for which $g(i, j) = w$, as it is also expected by $A$. Therefore, $A$ will behave in
the environment provided by the simulation exactly as in the real case. Since we disregard the
negligible possibility that $g$ might not be one-to-one, the reduction solves the search problem
concerning $h'$ whenever $A$ succeeds in finding the key. Notice again that each (new) question asked
by $A$ to either $f$ or $g$ translates to one or two questions actually asked to $h'$.

It follows that any successful cryptanalytic strategy that makes $o(N^{13/12})$ total queries to $f$ and
$g$ would solve the search problem with only $o(N^{13/12})$ queries to function $h'$, which is impossible
by Lemma 4 except with vanishing probability. This demonstrates the $\Omega(N^{13/12})$ lower bound on
the quantum cryptanalytic difficulty of breaking our classical key establishment protocol, which
matches the upper bound provided by the explicit attack discussed in Sect. 4.1. □
5 Late Breaking News

Very recently, we have developed improved protocols, which will be the topic of a subsequent
paper. Here, we simply sketch these protocols and claim their security. We still need two black-box
random functions, the first one of which is unchanged: $f : [N^3] \to [N^k]$ for the quantum protocol
and $f : [N^2] \to [N^k]$ for the classical protocol. The second one is $t : [N^3] \to [N^{k'}]$ or $t : [N^2] \to [N^{k'}]$,
depending on whether the protocol is quantum or classical. As before, $k$ is chosen sufficiently large
to make $f$ one-to-one except with negligible probability. The condition on $k'$ is slightly different:
we choose it large enough to ensure that $t(a) \oplus t(b) \oplus t(c) \oplus t(d) \ne 0$ whenever $\{a, b, c, d\}$ contains
at least three distinct elements in the domain of $t$, except with negligible probability, where "$\oplus$"
denotes the bitwise exclusive-or.

Steps 1, 2 and 5 of the new quantum protocol are exactly as in Protocol 1. At Step 3, Bob
sends back $w = t(x) \oplus t(x')$ to Alice. At Step 4, Alice uses her knowledge of $X$ to determine $x$ and
$x'$ from $w$. The solution is unique, except with negligible probability, provided Bob reorders $x$ and
$x'$ if necessary so that $f(x)$ came before $f(x')$ in the list $Y$ received from Alice at Step 1. If we
care only about the number of queries to the black-box functions, it is obvious that classical Alice
can find this pair with exactly $N$ additional queries to function $t$. Nevertheless, if we also care
about computation time, one might think that Alice has to use quantum computation (Grover's
algorithm) in order to find this unique pair in linear time among the $N^2$ pairs of elements of $X$.
However, it is a simple exercise (left to the reader) to compute this pair classically in $O(N \log N)$
time by sorting or even $O(N)$ expected time by universal hashing [10]. A proof very similar to that
of Theorem 2 shows that the best quantum cryptanalytic attack on this scheme requires $\Theta(N^{5/3})$
queries. Hence, this scheme is exactly as secure as Protocol 1, but it has the advantage of requiring
only Bob to use quantum-computational capabilities, much as was the case in Ref. [8].

The advantage of this technique is more spectacular when we consider fully classical protocols.
Indeed, it suffices to reduce the domain of $f$ and $t$ from $[N^3]$ to $[N^2]$ to make it possible for classical
Bob to compute $x$ and $x'$ efficiently at Step 2 (as in Protocol 2), but now Steps 3 to 5 can be
exactly as above since Alice was already classical. The first benefit of this approach is that there is
no need for Bob to transmit subset $Y'$ as in Protocol 2. The much more important benefit is that
this deprives the eavesdropper of useful information. As a consequence, we can prove that the
best quantum cryptanalytic attack on this scheme requires $\Theta(N^{7/6})$ queries. This is strictly better
than Protocol 2, which was broken with a mere $\Theta(N^{13/12})$ queries.
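Alice's Step 4 of the new classical protocol (recovering $(x, x')$ from $w = t(x) \oplus t(x')$ in $O(N)$ expected time with a hash table), as an added example that is not part of the original paper: $t$ is modelled by a keyed hash truncated to 64 bits (an assumption in place of the random black-box function), and the quadratic exhaustive search over all pairs is kept as a baseline for comparison.

```python
import hashlib
import random
from typing import Callable, Dict, List, Optional, Tuple


def make_random_function(label: bytes, out_bits: int = 64) -> Callable[[int], int]:
    """Stand-in for a black-box random function t : [N^2] -> [N^k'] (assumption):
    a keyed hash truncated to out_bits bits behaves like a fixed random table."""
    def t(x: int) -> int:
        digest = hashlib.blake2b(x.to_bytes(8, "big"), key=label, digest_size=8).digest()
        return int.from_bytes(digest, "big") >> (64 - out_bits)
    return t


def bob_message(x: int, x_prime: int, position: Dict[int, int], t: Callable[[int], int]) -> int:
    """Step 3 of the classical variant: Bob orders the two preimages so that f(x) came before
    f(x') in Alice's list Y (position maps x -> its index in Y) and sends t(x) xor t(x')."""
    if position[x] > position[x_prime]:
        x, x_prime = x_prime, x
    return t(x) ^ t(x_prime)


def alice_recover_hashing(X: List[int], w: int, t: Callable[[int], int]) -> Optional[Tuple[int, int]]:
    """Step 4 in O(N) expected time: N queries to t, one hash table, and for each i a lookup of
    t(x_i) xor w.  The ordering rule (i < j) is what makes the solution unique."""
    images = [t(x) for x in X]                      # exactly N queries to t
    index_of: Dict[int, int] = {}
    for j, v in enumerate(images):
        index_of.setdefault(v, j)                   # t is one-to-one on X except w.n.p.
    found = [(X[i], X[index_of[v ^ w]]) for i, v in enumerate(images)
             if v ^ w in index_of and index_of[v ^ w] > i]
    return found[0] if len(found) == 1 else None


def alice_recover_exhaustive(X: List[int], w: int, t: Callable[[int], int]) -> List[Tuple[int, int]]:
    """Quadratic baseline over the N^2 ordered pairs: still N queries to t but O(N^2) time."""
    images = [t(x) for x in X]
    return [(X[i], X[j]) for i in range(len(X)) for j in range(i + 1, len(X))
            if images[i] ^ images[j] == w]


def demo(N: int, seed: int) -> bool:
    """Constructed run: Alice's X, a pair found by Bob, then both recovery methods must agree."""
    rng = random.Random(seed)
    t = make_random_function(b"constructed-demo-key")
    X = rng.sample(range(N * N), N)                 # Alice's N distinct points of [N^2]
    position = {x: i for i, x in enumerate(X)}      # order of Y = f(X) as sent by Alice
    x, x_prime = rng.sample(X, 2)                   # the two preimages Bob found in Step 2
    w = bob_message(x, x_prime, position, t)
    expected = (x, x_prime) if position[x] < position[x_prime] else (x_prime, x)
    fast = alice_recover_hashing(X, w, t)
    slow = alice_recover_exhaustive(X, w, t)
    return fast == expected and slow == [expected]
```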

6 Conclusion, Conjectures and Open Questions 

We presented an improved protocol for quantum key establishment over a classical channel and the
first purely classical protocols for key establishment that are secure against a quantum adversary.
Is it possible that they are optimal ($\Theta(N^{5/3})$ quantum queries would be required to break the best
quantum protocol and $\Theta(N^{7/6})$ for the best classical protocol)? We conjecture that they are not.

Indeed, we have discovered two sequences of protocols $Q_\ell$ and $C_\ell$ for $\ell \ge 2$ (which we shall
describe in a subsequent paper) with the following properties. In protocol $Q_\ell$, a classical Alice
establishes a key with a quantum Bob after $O(N)$ accesses to a random oracle in such a way that
our most efficient quantum eavesdropping strategy requires the eavesdropper to access the same
random oracle Q(N expected times. In protocol $C_\ell$, purely classical Alice and Bob establish
a key after $O(N)$ accesses to a random oracle in such a way that our most efficient quantum
eavesdropping strategy requires the eavesdropper to access the same random oracle $\Theta\!\left(N^{\frac{1}{2} + \frac{\ell}{\ell+1}}\right)$
expected times.

Our attacks proceed by quantum walks in Johnson graphs similar to those exploited in the
proofs of Theorems 1 and 3 to obtain optimal attacks against our Protocols 1 and 2. If they are
the best possible against our new protocols as well, then key establishment protocols à la Merkle
can be arbitrarily as secure in our quantum world as they were in the whimsical classical world
known to Merkle in 1974: arbitrarily close to quadratic security can be restored. The obvious open
question is to prove the optimality of our attacks. It would also be interesting to find a quantum
protocol that exactly achieves quadratic security... or better! Indeed, even though it has been
proven in the classical case that quadratic security is the best that can be achieved [3], there is no
compelling evidence yet that such a limitation exists in the quantum world.

If our quantum attacks against the classical protocols are optimal, classical Alice and Bob can
establish a secret key against a quantum eavesdropper with as good a security (in the limit) as it
was known to be possible for quantum Alice and Bob before this work [8]. The main open question
would be to break the $\Omega(N^{3/2})$ barrier or prove that this is not possible.

Even though our protocols $Q_\ell$ and $C_\ell$ require classical Alice to access the random black-box
functions only $N$ times, she has to work for a time in $O(N^{\lceil \ell/2 \rceil})$ to complete her share of the
protocol, which is more than linear when $\ell \ge 3$. Could similar protocols exist in which Alice would
be efficient even outside the required calls to the black-box function?

Finally, our lower bounds prove that it is not possible for the eavesdropper to learn Alice and 
Bob's key (x,x'), except with vanishing probability, unless she queries the black-box functions 
significantly more than the legitimate parties. However, we have not addressed the possibility for 
the eavesdropper to obtain efficiently partial information about the key. We leave this important 
issue for further research. 
Appendix: Quantum Query Complexity



In our protocols, the work of the different parties is quantified by the number of queries made to 
black-box random functions, which can be modelled by a binary random oracle. In this Appendix, 
we review the main results from quantum query complexity that we used to prove our results and 
we sketch a new technical result that is needed for our lower-bound proofs. 

Upper Bounds 

Our attacks can be modelled as quantum walks on Johnson graphs. The graph $J(n, r)$ is an
undirected graph in which each node contains some number $r$ of distinct elements of $[n]$ and there
is an edge between two nodes if and only if they differ by exactly two elements. Intuitively, we may
think of "walking" from one node to an adjacent node by dropping one element and replacing it
by another. The task is to find a specific $k$-subset of $[n]$. The nodes that contain this subset are
called marked.

A random walk P on a Johnson graph can be quantized and the cost of the resulting quantum 
algorithm can be written as a function of S, U and C. These are the cost of setting up the quantum 
register in a state that corresponds to the stationary distribution, moving unitarily from one node 
to an adjacent node, and checking if a node is marked in order to flip its phase if it is, respectively. 

Theorem 5. [18] Let $M$ be either empty, or the set of vertices that contain a fixed subset of
constant size $k \le r$. Then there is a quantum algorithm that finds, with high probability, the $k$-subset
if $M$ is not empty at an expected cost in the order of

$$S + \frac{1}{\sqrt{\varepsilon}}\left(\frac{1}{\sqrt{\delta}}\,U + C\right),$$

where $\delta = n/(r(n - r))$ is the eigenvalue gap of the symmetric walk on $J(n, r)$ and $\varepsilon = \binom{n-k}{r-k} \big/ \binom{n}{r}$ is the
probability that a random node is marked.

Lower Bounds 

The central technical part of our lower bound consists in analysing the complexity of a function
closely related to the hardness of breaking the key establishment protocols. This function is obtained
by composing element distinctness and a variant of the search problem. Recall that $X'$ denotes
$X \cup \{0\}$, where $X$ is an arbitrary set of integers.

Consider two integer parameters $\kappa$ and $\eta$ and three functions $c : [\kappa] \to [\kappa]$, $v : [\kappa] \to [\eta]$ and
$h : [\kappa] \times [\eta] \to [\kappa]'$ so that there exists a single pair $(i, j)$, $1 \le i < j \le \kappa$, for which $c(i) = c(j)$,
which is called a collision, and

$$h(i, j) = \begin{cases} c(i) & \text{if } j = v(i), \\ 0 & \text{otherwise}. \end{cases}$$

The task is to find the unique nonzero collision in $h$, having only access to a black-box that
computes $h$. This can be thought of as searching among $\eta$ possibilities for the sole nonzero $h(i, \cdot)$
for each $i$ and then finding two of those elements, among $\kappa$ possibilities, that are not distinct. Our
main technical lemma, below, gives a lower bound on the number of queries to $h$ that are required.

Lemma 5. Finding a nonzero collision in $h$, structured as above, requires $\Omega(\kappa^{2/3}\eta^{1/2})$ quantum
queries to $h$, except with vanishing probability.

It is more convenient to prove this lower bound for the related decision problem: we are given
a function $h$ of the type above, but it is either based on a function $c$ that has a single collision
(as above) or on a one-to-one function $c$ (in which case $h$ is collision-free, except for value $0$ in
its image). The task is to decide which is the case. Obviously, any algorithm that can solve the
search problem with probability of success at least $p > 0$ can be used to solve the decision problem
with error bounded by $\frac{1}{2} - \frac{p}{2}$: run the search algorithm; if a collision is found (and verified), output
"collision", otherwise output either "collision" or "no collision" with equal probability after flipping
a fair coin. It follows that any lower bound on the bounded-error decision problem applies equally
well to the search problem.

We shall change the notation in order to adapt it to the normal usage in the field of quantum
query complexity. The function $c : [\kappa] \to [\kappa]$ is represented by an element of $[\kappa]^\kappa$. This makes it
possible to think of the decision version of element distinctness as a Boolean function $\mathrm{ED} : [\kappa]^\kappa \to \{0, 1\}$,
although it is a partial function since there is a promise on the valid inputs to $\mathrm{ED}$: given $\kappa$ integers
$(z_1, \ldots, z_\kappa) \in [\kappa]^\kappa$, the promise is that either all the elements are distinct or that all the elements
are distinct except two, say $z_i = z_j$. The goal is to decide which of the two cases occurs by making
as few queries as possible to the function that returns $z_i$ on input $i$.

Ambainis' element distinctness quantum algorithm [2] runs in $O(\kappa^{2/3})$ queries to the input, and
Aaronson and Shi proved that this is optimal [1]. Although the lower bound was proven using the
polynomial method [1], a recent theorem of Ref. [15] shows that the generalized adversary bound
is tight for total and partial functions. Since our proof of the lower bound is derived using the
generalized adversary method [14], we may conclude that there exists an $\Omega(\kappa^{2/3})$ adversary bound
for element distinctness.

We compose the element distinctness problem with $\kappa$ instances of a promise version of a search
problem, which we call pSEARCH.

Definition 1. $\mathrm{pSEARCH} : P \to A$ with $P \subset (A')^\eta$ is a promise problem. On input $(a_1, \ldots, a_\eta)$,
the promise $P$ is that all but one of the values are zero. The goal is to find and output this nonzero
value by making queries that take $i$ as input and return $a_i$.

The composed function, with $A = [\kappa]$, is denoted $H$. On input $x \in P^\kappa$,

$$H(x) = \mathrm{ED}(\mathrm{pSEARCH}(x_1), \ldots, \mathrm{pSEARCH}(x_\kappa)).$$

We now prove that the quantum query complexity of $H$ is in $\Omega(\kappa^{2/3}\eta^{1/2})$. The proof uses
the generalized adversary method for quantum query complexity, which we briefly describe here.
Suppose we want to determine the quantum query complexity of a function $F$. First, we assign
weights to pairs of inputs in order to bring out how hard it is (in terms of number of queries) to
distinguish these inputs from one another. The adversary lower bound is the worst ratio of
the spectral norm of this matrix, which measures the overall progress necessary in order for the
algorithm to be correct, to the spectral norms of associated matrices, which measure the maximum
amount of progress that can be achieved by making a single query.
Definition 2. Fix a function $F : S \to T$. A symmetric matrix $\Gamma : S \times S \to \mathbb{R}$ is an adversary
matrix for $F$ provided $\Gamma[x, y] = 0$ whenever $F(x) = F(y)$. Let $D_i[x, y] = 1$ if $x_i \ne y_i$ and $0$ otherwise.
The adversary bound of $F$ using $\Gamma$ is

$$\mathrm{ADV}^{\pm}(F; \Gamma) = \frac{\|\Gamma\|}{\max_i \|\Gamma \circ D_i\|},$$

where $\circ$ denotes entrywise (or Hadamard) product, and $\|A\|$ denotes the spectral norm of $A$ (which is
equal to its largest eigenvalue). The adversary bound $\mathrm{ADV}^{\pm}(F)$ is the maximum, over all adversary
matrices $\Gamma$ for $F$, of $\mathrm{ADV}^{\pm}(F; \Gamma)$.

Since $H$ is defined as the composition of $\mathrm{ED}$ and pSEARCH, we would like to apply a composition
theorem for the generalized adversary method [14], which would say that if a function $H = F \circ G^\kappa$,
then $\mathrm{ADV}^{\pm}(H) \ge \mathrm{ADV}^{\pm}(F) \cdot \mathrm{ADV}^{\pm}(G)$. Unfortunately, the composition theorems of Refs. [14, 15]
require the inner (and outer [14]) functions to be Boolean, which is not the case here for the inner
function pSEARCH. Since counter-examples can be found, we cannot hope to prove a fully general
composition theorem in which the inner function would be an arbitrary function. Nevertheless, we
prove here a composition theorem with pSEARCH as the inner function.



Theorem 6. Let $F : A^\kappa \to B$, $\mathrm{pSEARCH} : P \to A$ with $P \subset (A')^\eta$ as described above, and
$H = F \circ \mathrm{pSEARCH}^\kappa$. Then

$$\mathrm{ADV}^{\pm}(H) \ge \tfrac{1}{2}\,\mathrm{ADV}^{\pm}(F) \cdot \mathrm{ADV}^{\pm}(\mathrm{pSEARCH}).$$

The inner function can be slightly more general than pSEARCH. For example, it could be that
the element we search for is hidden in several places. The proof also goes through if the instances of
pSEARCH operate over distinct domains $(A'_i)^\eta$. We leave for further research the extent to which
our theorem can be generalized and proceed to prove it as stated.

Proof. We prove the theorem using only a few properties of pSEARCH, which we describe below.
In order to disambiguate the $\kappa$ instances of pSEARCH, and to simplify notation, we write the inner
functions as $G_1, \ldots, G_\kappa : P \to A$ with $P \subset (A')^\eta$, $|A| = M$, and $|P| = M\eta$. We use the fact that
$G_i$ is $\eta$-to-$1$ for all $i$. We assume that inputs are sorted according to the output value. We use two
crucial properties of pSEARCH.

1. The $M\eta \times M\eta$ optimal adversary matrices $\Gamma_i$ for $G_i$ can be written in block form with $M \times M$
blocks of size $\eta \times \eta$ indexed by pairs of outputs in which all off-diagonal blocks are identical.
Written in this form, all $M$ diagonal blocks are necessarily zero since it is an adversary matrix.

2. The $M\eta \times M\eta$ matrix $D_q$, with inputs sorted in the same way, is also composed of identical
off-diagonal blocks $A_q$ and $A'_q$ on diagonal blocks. Notice that this strongly depends on $G_i$,
since the inputs are sorted by output value.

For any function $F$, consider $H = F \circ (G_1, \ldots, G_\kappa)$. We show that for all adversary matrices $\Gamma_i$ for
$G_i$ of the form $\Gamma_i = (1_M - I_M) \otimes S_i$, where $S_i$ is an $\eta \times \eta$ symmetric matrix,

$$\mathrm{ADV}^{\pm}(H) \ge \mathrm{ADV}^{\pm}(F) \cdot \min_i \mathrm{ADV}^{\pm}(G_i; \Gamma_i). \qquad (1)$$
To prove this, we define an adversary matrix $\Gamma_H$ for $H$ and compute its spectrum. The largest
eigenvalues of $\Gamma_H$ and $\Gamma_H \circ D_\ell$ give our lower bound on $\mathrm{ADV}^{\pm}(H)$.

Let us introduce some notation that we will use throughout the proof. Inputs to $H$ are written
$x, y \in P^\kappa$. Each $x \in P^\kappa$ breaks into $x = (x_1, \ldots, x_\kappa)$. The result of applying the inner functions
to $x = (x_1, \ldots, x_\kappa)$ is written $\bar{x} = (\bar{x}_1, \ldots, \bar{x}_\kappa) = (G_1(x_1), \ldots, G_\kappa(x_\kappa))$. Each $x_i \in P$, seen as an
element of $(A')^\eta$, also breaks down into its components, which we write $x_i = ((x_i)_1, \ldots, (x_i)_\eta)$,
where each component $(x_i)_j$ is an element of $A'$.

The structure on $\Gamma_i$ allows us to consider it as $M \times M$ blocks, each of size $\eta \times \eta$, as follows.
Lines and columns of $\Gamma_i$, indexed by inputs of the form $x_i = (a_1, \ldots, a_\eta) \in P$, are sorted according
to the value $\bar{x}_i = G_i(x_i)$. The submatrix $\Gamma_i^{(\bar{x}_i, \bar{y}_i)}$ is the restriction of $\Gamma_i$ to the rows and columns
such that $G_i(x_i) = \bar{x}_i$ and $G_i(y_i) = \bar{y}_i$. Denote by $I_M$ and $1_M$ the $M \times M$ identity matrix and
all-one matrix, respectively. When $\Gamma_i = (1_M - I_M) \otimes S_i$, the diagonal blocks are the all-zero matrix
and the others are equal to the matrix $S_i$.



$$\Gamma_i = \begin{pmatrix} 0 & S_i & \cdots & S_i \\ S_i & 0 & \ddots & S_i \\ \vdots & \ddots & \ddots & \vdots \\ S_i & S_i & \cdots & 0 \end{pmatrix}, \qquad
D_q = \begin{pmatrix} A'_q & A_q & \cdots & A_q \\ A_q & A'_q & \ddots & A_q \\ \vdots & \ddots & \ddots & \vdots \\ A_q & A_q & \cdots & A'_q \end{pmatrix}$$

Figure 1: The matrices $\Gamma_i$ and $D_q$ are decomposed into blocks $\Gamma_i^{(\bar{x}_i, \bar{y}_i)}$ and $D_q^{(\bar{x}_i, \bar{y}_i)}$,
respectively. Each block labelled $\bar{x}_i, \bar{y}_i$ contains inputs $x_i, y_i$ which map to the same output value,
that is, $G_i(x_i) = \bar{x}_i$ and $G_i(y_i) = \bar{y}_i$.

We define $\Gamma_H$ on blocks labelled by $(\bar{x}, \bar{y}) \in A^\kappa \times A^\kappa$. The submatrix $\Gamma_H^{(\bar{x}, \bar{y})}$ is the restriction
of $\Gamma_H$ to the rows and columns indexed by $x = (x_1, \ldots, x_\kappa)$, $y = (y_1, \ldots, y_\kappa) \in P^\kappa$ such that
$(G_1(x_1), \ldots, G_\kappa(x_\kappa)) = \bar{x}$ and $(G_1(y_1), \ldots, G_\kappa(y_\kappa)) = \bar{y}$:

$$\Gamma_H^{(\bar{x}, \bar{y})} = \Gamma_F[\bar{x}, \bar{y}] \cdot \bigotimes_{i=1}^{\kappa} \tilde{\Gamma}_i^{(\bar{x}_i, \bar{y}_i)}. \qquad (2)$$

Here, we have used the modified adversary matrices

$$\tilde{\Gamma}_i = \Gamma_i + \|S_i\|\, I_{M\eta},$$

which adds to the diagonal, to prevent zeroing out the block of $\Gamma_H$ when $\bar{x}$ equals $\bar{y}$ on one of
its components. The fundamental property of $\Gamma_H$ is that its norm is the product of the norms of
the matrices $\Gamma_F$ and $S_i$.



Claim 1. For the matrix $\Gamma_H$ defined as above, $\|\Gamma_H\| = \|\Gamma_F\| \cdot \prod_i \|S_i\|$.



We defer the proof of this claim and first see how it implies Equation (1). Claim 1 gives us the
norm of $\Gamma_H$, and it remains to compute $\max_\ell \|\Gamma_H \circ D_\ell\|$ (Definition 2). Let us turn to the matrix
$\Gamma_H \circ D_\ell$ to see that it shares the structure of $\Gamma_H$ so we can also apply Claim 1 to compute its norm.
Recall that the domain of $H$ is $P^\kappa$, where $P \subset (A')^\eta$. An index $\ell$ into an input $x$ to $H$ decomposes
into $p \in [\kappa]$, an index within $x$, and the index $q \in [\eta]$ within the vector in $(A')^\eta$.
Claim 2. $\|\Gamma_H \circ D_\ell\| = \|\Gamma_F \circ D_p\| \cdot \|S_p \circ A_q\| \cdot \prod_{i \ne p} \|S_i\|$.

Proof of Claim 2. Restricting to the block labelled by $\bar{x}$ and $\bar{y}$, Ref. [14] shows that

$$(\Gamma_H \circ D_\ell)^{(\bar{x}, \bar{y})} = (\Gamma_F \circ D_p)[\bar{x}, \bar{y}] \cdot (\tilde{\Gamma}_p \circ D_q)^{(\bar{x}_p, \bar{y}_p)} \otimes \bigotimes_{i \ne p} \tilde{\Gamma}_i^{(\bar{x}_i, \bar{y}_i)}. \qquad (3)$$

Here we use the second property of pSEARCH: for each $q$, there exist matrices $A_q$ and $A'_q$ such
that when restricted to blocks, $D_q = (1_M - I_M) \otimes A_q + I_M \otimes A'_q$. Therefore, $\tilde{\Gamma}_p \circ D_q$ has the same
block structure as $\tilde{\Gamma}_p$ and by Claim 1, we get the expression for $\|\Gamma_H \circ D_\ell\|$ given in Claim 2. □

Equation (1) follows from Claims 1 and 2:

$$\mathrm{ADV}^{\pm}(H; \Gamma_H) = \min_{p, q} \frac{\|\Gamma_F\| \cdot \prod_i \|S_i\|}{\|\Gamma_F \circ D_p\| \cdot \|S_p \circ A_q\| \cdot \prod_{i \ne p} \|S_i\|}$$
$$= \min_{p, q} \frac{\|\Gamma_F\|}{\|\Gamma_F \circ D_p\|} \cdot \frac{\|S_p\|}{\|S_p \circ A_q\|}$$
$$\ge \min_p \frac{\|\Gamma_F\|}{\|\Gamma_F \circ D_p\|} \cdot \min_{p, q} \frac{\|S_p\|}{\|S_p \circ A_q\|}.$$

From the fact that $\|\Gamma_i\| = (M - 1)\|S_i\|$ and $\|\Gamma_i \circ D_p\| = (M - 1)\|S_i \circ A_p\|$, it follows that

$$\mathrm{ADV}^{\pm}(G_p; \Gamma_p) = \min_q \frac{\|S_p\|}{\|S_p \circ A_q\|} \qquad (4)$$

and therefore

$$\mathrm{ADV}^{\pm}(H; \Gamma_H) \ge \mathrm{ADV}^{\pm}(F) \cdot \min_q \mathrm{ADV}^{\pm}(G_q; \Gamma_q).$$

Proof of Claim 1. We first prove $\|\Gamma_H\| \le \|\Gamma_F\| \cdot \prod_i \|S_i\|$. The proof proceeds in four steps.

1. We define a set of vectors $\{\delta_{\alpha, c}\}$ in $\mathbb{C}^{(\eta M)^\kappa}$.

2. We prove that they are eigenvectors of $\Gamma_H$ and give the corresponding eigenvalues.

3. We show that we have defined all eigenvectors and eigenvalues of $\Gamma_H$.

4. We upper bound the eigenvalues in absolute value.

Similarly to the way we built up $\Gamma_H$ from $\Gamma_F$ and the $\Gamma_i$, we construct eigenvectors for $\Gamma_H$ using
the eigenvectors for $\Gamma_F$ and the $S_i$ as building blocks. We need some more notation before starting
the proof. The spectrum of $S_i$ is $\{(\delta_{i,j}, \lambda_{i,j})\}_{j \in [\eta]}$, with eigenvalues $|\lambda_{i,1}| \ge \cdots \ge |\lambda_{i,\eta}|$. For $\bar{x}_i, \bar{y}_i \in A$,
we use the following notation:

$$\lambda_{i,j}^{\bar{x}_i \bar{y}_i} = \begin{cases} \lambda_{i,j} & \text{if } \bar{x}_i \ne \bar{y}_i, \\ \|S_i\| & \text{otherwise}. \end{cases}$$
As we can see from the following eigenvalue equation, $\lambda_{i,j}^{\bar{x}_i \bar{y}_i}$ is the eigenvalue of $\tilde{\Gamma}_i^{(\bar{x}_i, \bar{y}_i)}$ associated
with the vector $\delta_{i,j}$:

$$\tilde{\Gamma}_i^{(\bar{x}_i, \bar{y}_i)} \delta_{i,j} = \begin{cases} S_i \delta_{i,j} = \lambda_{i,j}\, \delta_{i,j} & \text{if } \bar{x}_i \ne \bar{y}_i, \\ \|S_i\|\, \delta_{i,j} & \text{otherwise} \end{cases} = \lambda_{i,j}^{\bar{x}_i \bar{y}_i}\, \delta_{i,j}. \qquad (5)$$

Given a vector of indices $c = (c_1, \ldots, c_\kappa)$, $c_i \in [\eta]$, we build up our eigenvectors for $\Gamma_H$ by picking
the $c_i$th eigenvector for the $i$th inner function (see Step 1). For $c = (c_1, \ldots, c_\kappa)$, the $M^\kappa \times M^\kappa$
matrix $\Lambda_c$ is defined by blocks

$$\Lambda_c[\bar{x}, \bar{y}] = \Gamma_F[\bar{x}, \bar{y}] \cdot \prod_{i=1}^{\kappa} \lambda_{i, c_i}^{\bar{x}_i \bar{y}_i},$$

and we write its spectrum $\{(\alpha, \mu_{\alpha, c})\}$.



Step 1: We are ready to define the eigenvectors $\delta_{\alpha, c}$ of $\Gamma_H$. We define the vectors $\delta_{\alpha, c}$ on the
block $\delta_{\alpha, c}^{(\bar{x})}$ of coordinates $x \in P^\kappa$ such that $(G_1(x_1), \ldots, G_\kappa(x_\kappa)) = \bar{x}$:

$$\delta_{\alpha, c}^{(\bar{x})} = \alpha[\bar{x}] \cdot \bigotimes_{i=1}^{\kappa} \delta_{i, c_i}.$$

Notice that because of the structure of the $\Gamma_i$, it suffices for our purposes to build up the eigenvectors
of $\Gamma_H$ from the eigenvectors of the underlying $S_i$, which considerably simplifies the proof.



Step 2: We claim that the $\delta_{\alpha, c}$ are eigenvectors of $\Gamma_H$ with corresponding eigenvalues $\mu_{\alpha, c}$.
We want to calculate $\Gamma_H \delta_{\alpha, c}$. We do this block by block. Fix $\bar{x} \in A^\kappa$. Using the eigenvalue
equation (5), we get

$$\bigotimes_{i=1}^{\kappa} \tilde{\Gamma}_i^{(\bar{x}_i, \bar{y}_i)} \bigotimes_{i=1}^{\kappa} \delta_{i, c_i} = \prod_{i=1}^{\kappa} \lambda_{i, c_i}^{\bar{x}_i \bar{y}_i} \bigotimes_{i=1}^{\kappa} \delta_{i, c_i}. \qquad (6)$$

Then

$$(\Gamma_H \delta_{\alpha, c})^{(\bar{x})} = \sum_{\bar{y}} \Gamma_H^{(\bar{x}, \bar{y})}\, \delta_{\alpha, c}^{(\bar{y})}$$
$$= \sum_{\bar{y}} \Gamma_F[\bar{x}, \bar{y}]\, \alpha[\bar{y}] \cdot \prod_i \lambda_{i, c_i}^{\bar{x}_i \bar{y}_i} \cdot \bigotimes_i \delta_{i, c_i} \qquad \text{(by Equation (6))}$$
$$= \sum_{\bar{y}} \Lambda_c[\bar{x}, \bar{y}]\, \alpha[\bar{y}] \cdot \bigotimes_i \delta_{i, c_i}$$
$$= \mu_{\alpha, c}\, \alpha[\bar{x}] \cdot \bigotimes_i \delta_{i, c_i}.$$
Step 3: We prove that the vectors $\delta_{\alpha, c}$ span $\mathbb{C}^{(\eta M)^\kappa}$. There are $\eta^\kappa$ matrices $\Lambda_c$, and each one has
$M^\kappa$ eigenvectors $\alpha$. Therefore, $\{\delta_{\alpha, c}\}$ is a collection of $(\eta M)^\kappa$ vectors. We now prove that they are
orthogonal. Notice that

$$\langle \delta_{\alpha, c}, \delta_{\alpha', c'} \rangle = \sum_{\bar{x}} \langle \delta_{\alpha, c}^{(\bar{x})}, \delta_{\alpha', c'}^{(\bar{x})} \rangle$$
$$= \sum_{\bar{x}} \alpha[\bar{x}]\, \alpha'[\bar{x}] \cdot \prod_{i=1}^{\kappa} \langle \delta_{i, c_i}, \delta_{i, c'_i} \rangle$$
$$= \langle \alpha, \alpha' \rangle \cdot \prod_{i=1}^{\kappa} \langle \delta_{i, c_i}, \delta_{i, c'_i} \rangle.$$

If $\delta_{\alpha, c} \ne \delta_{\alpha', c'}$, it must be the case that either $c \ne c'$ or $\alpha \ne \alpha'$. Assume $c \ne c'$. Then for some $i$,
$\delta_{i, c_i} \ne \delta_{i, c'_i}$ and since these vectors form an orthonormal basis of $\mathbb{C}^\eta$, we get $\langle \delta_{i, c_i}, \delta_{i, c'_i} \rangle = 0$. Now if
$c = c'$, then $\alpha \ne \alpha'$. Again, these vectors form an orthonormal basis of $\mathbb{C}^{M^\kappa}$ and we get $\langle \alpha, \alpha' \rangle = 0$.



Step 4: We prove by induction that the eigenvalues $\mu_{\alpha, c}$ of $\Gamma_H$ are such that $|\mu_{\alpha, c}| \le \|\Gamma_F\| \cdot \prod_i \|S_i\|$
for all $\alpha$ and $c$. For $i \in [\kappa]$ and $c \in [\eta]^\kappa$, we define a family of matrices $\Lambda_c^{(i)}$ inductively as follows:

1. $\Lambda_c^{(0)} = \Gamma_F$,

2. $\Lambda_c^{(i)}[\bar{x}, \bar{y}] = \Lambda_c^{(i-1)}[\bar{x}, \bar{y}] \cdot \lambda_{i, c_i}^{\bar{x}_i \bar{y}_i}$.

By definition, $\Lambda_c^{(\kappa)} = \Lambda_c$. We prove by induction that for each $i$,

$$\|\Lambda_c^{(i)}\| \le \|\Gamma_F\| \cdot \prod_{j=1}^{i} \|S_j\|.$$

Since $\mu_{\alpha, c}$ is an eigenvalue of $\Lambda_c$, this implies $|\mu_{\alpha, c}| \le \|\Lambda_c\| \le \|\Gamma_F\| \cdot \prod_i \|S_i\|$.

Since $\Lambda_c^{(0)} = \Gamma_F$, the base case is trivial. Assume that for some $i$, $\|\Lambda_c^{(i-1)}\| \le \|\Gamma_F\| \cdot \prod_{j=1}^{i-1} \|S_j\|$.
By rearranging the rows and columns of $\Lambda_c^{(i-1)}$ as before, we can consider that it is formed of $M^2$
blocks with the following structure: the block labelled $(u, v) \in A \times A$ contains the entries $\Lambda_c^{(i-1)}[\bar{x}, \bar{y}]$
such that $\bar{x}_i = u$ and $\bar{y}_i = v$. Now, to form $\Lambda_c^{(i)}$, the diagonal blocks of $\Lambda_c^{(i-1)}$, labelled $(u, u)$, are
multiplied by $\|S_i\|$ and the others are multiplied by the same factor $\lambda_{i, c_i}$, which is at most $\|S_i\|$.
We claim that under this operation, the norm of the matrix increases at most by a factor $\|S_i\|$.

Define $B = \frac{1}{\lambda_{i, c_i}} \Lambda_c^{(i)} - \Lambda_c^{(i-1)}$. This block diagonal matrix contains the diagonal blocks of $\Lambda_c^{(i-1)}$
multiplied by $\tau_i = \frac{\|S_i\|}{\lambda_{i, c_i}} - 1$, while the other blocks are set to $0$. In other words, $B$ is a direct
sum of operators acting on disjoint subspaces $E_1, \ldots, E_M$. It follows that

1. any eigenvalue of $B$ is associated with an eigenvector whose support is in $E_t$ for some $t$, and

2. for any vector $v$ whose support is in $E_t$ for some $t$, $\|Bv\| \le \|\tau_i \Lambda_c^{(i-1)} v\|$.

This implies $\|B\| \le |\tau_i|\, \|\Lambda_c^{(i-1)}\|$. Finally, writing $\Lambda_c^{(i)} = \lambda_{i, c_i}(\Lambda_c^{(i-1)} + B)$, we have

$$\|\Lambda_c^{(i)}\| \le |\lambda_{i, c_i}| \left(\|\Lambda_c^{(i-1)}\| + \|B\|\right) \le |\lambda_{i, c_i}|\,(1 + |\tau_i|)\, \|\Lambda_c^{(i-1)}\|.$$

Since $\lambda_{i, c_i}$ is an eigenvalue of $S_i$, it is the case that $\tau_i \ge 0$, so $1 + |\tau_i| = \frac{\|S_i\|}{\lambda_{i, c_i}}$. Finally:

$$\|\Lambda_c^{(i)}\| \le \|S_i\| \cdot \|\Lambda_c^{(i-1)}\|.$$

The induction hypothesis allows us to conclude the proof of Step 4, which completes one direction 
in the proof of Claim 1. 

We now prove the other direction: $\|\Gamma_H\| \ge \|\Gamma_F\| \cdot \prod_i \|S_i\|$. Taking $c = (1, \ldots, 1)$, we 
have $\|\Gamma_H\| \ge \|A_c\|$. By definition, $A_c[x,y] = \Gamma_F[x,y] \cdot \prod_i \|S_i\|$, which immediately implies that 
$\|\Gamma_H\| \ge \|\Gamma_F\| \cdot \prod_i \|S_i\|$. This completes the proof of Claim 1. □ 
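As an added check of the bound $\|B\| \le |\tau_i|\,\|A_c^{(i-1)}\|$ used in Step 4 (this derivation is ours, not part of the original proof), write $P_t$ for the orthogonal projector onto $E_t$, a name introduced here for convenience. Since $B$ keeps only the diagonal blocks of $A_c^{(i-1)}$, scaled by $\tau_i$, we have $B = \tau_i \sum_t P_t A_c^{(i-1)} P_t$, and for any vector $v$ with components $v_t = P_t v$ the images $P_t A_c^{(i-1)} v_t$ have disjoint supports, so

$$\|Bv\|^2 = \tau_i^2 \sum_t \|P_t A_c^{(i-1)} v_t\|^2 \le \tau_i^2 \sum_t \|A_c^{(i-1)} v_t\|^2 \le \tau_i^2 \, \|A_c^{(i-1)}\|^2 \sum_t \|v_t\|^2 = \tau_i^2 \, \|A_c^{(i-1)}\|^2 \, \|v\|^2 .$$

Hence $\|B\| \le |\tau_i|\,\|A_c^{(i-1)}\|$, and with $A_c^{(i)} = \lambda_{i,c_i}\left(A_c^{(i-1)} + B\right)$ this gives $\|A_c^{(i)}\| \le |\lambda_{i,c_i}| \, (1 + |\tau_i|) \, \|A_c^{(i-1)}\| = \|S_i\| \, \|A_c^{(i-1)}\|$ for positive $\lambda_{i,c_i}$, which is the case $\tau_i \ge 0$ used in the proof.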

To complete the proof of Theorem 6, we choose the matrix $S_i = \Gamma_\eta$ and take $\Gamma_i = (J_M - I_M) \otimes S_i$ 
for the adversary matrix of $G_i = \mathrm{pSEARCH}$, for each $i$. We verify that $\Delta_q$ has the necessary block 
structure. Indeed, for each output pair $a, b$ of pSEARCH, if $a \neq b$ then the block is all zero except 
in the line and column indexed by $q$, where it is 1, since the $q$-th line corresponds to the input where 
$a$ is hidden in position $q$ and the $q$-th column is the input where $b$ is hidden in position $q$. Further, 
if $a = b$ then the block in $\Delta_q$ is 1 in column $q$ and line $q$ except in position $(q, q)$ where it is zero. 
By direct computation, $\|S_i\| = \eta$ and $\|S_i \circ \Delta_q\| = \sqrt{\eta - 1}$. Using Definition 2 and Equation 1 
(with $G_i = \mathrm{pSEARCH}$), it follows that 

$$\mathrm{ADV}^{\pm}(\mathrm{pSEARCH}) \ge \mathrm{ADV}^{\pm}(\mathrm{pSEARCH}; \Gamma_i) = \min_q \frac{\|S_i\|}{\|S_i \circ \Delta_q\|} = \frac{\eta}{\sqrt{\eta - 1}} > \sqrt{\eta}. \qquad (7)$$ 

On the other hand, we know from the universality (up to a factor 2) of the generalized adversary 
bound [15] and Ref. [6] that 

$$\mathrm{ADV}^{\pm}(\mathrm{pSEARCH})/2 \le Q(\mathrm{pSEARCH}) \le \;\;\;, \qquad (8)$$ 

where $Q$ denotes the quantum query complexity. Equations (7) and (8) imply that 

$$\mathrm{ADV}^{\pm}(\mathrm{pSEARCH}; \Gamma_i) \ge \tfrac{1}{2} \, \mathrm{ADV}^{\pm}(\mathrm{pSEARCH}).$$ 

Theorem 6 now follows from Equation 1. □ 

Proof of Lemma 5. Lemma 5 follows by using the known quantum query complexity lower bound 
for ED, which is $\Omega(k^{2/3})$ [1]. □ 

It is interesting to note that the lower bound for ED was obtained by the polynomial method [3]. 
Even though we do not know how to calculate the optimal adversary matrix for ED, we know that 
it exists and matches the lower bound since the generalized adversary bound is tight up to a factor 
of two [15]. Hence we can safely use our knowledge that this matrix exists even though we do not 
know it explicitly. To the best of our knowledge, Lemma 5 is the first lower bound whose proof 
depends crucially on both the polynomial and the generalized adversary techniques. 